Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r--src/vnet/ipsec/ah_decrypt.c10
-rw-r--r--src/vnet/ipsec/ah_encrypt.c9
-rw-r--r--src/vnet/ipsec/esp_decrypt.c4
-rw-r--r--src/vnet/ipsec/esp_encrypt.c8
-rw-r--r--src/vnet/ipsec/ikev2.c5
-rw-r--r--src/vnet/ipsec/ipsec.api8
-rw-r--r--src/vnet/ipsec/ipsec_api.c12
-rw-r--r--src/vnet/ipsec/ipsec_cli.c1
-rw-r--r--src/vnet/ipsec/ipsec_format.c3
-rw-r--r--src/vnet/ipsec/ipsec_sa.c14
-rw-r--r--src/vnet/ipsec/ipsec_sa.h10
11 files changed, 66 insertions, 18 deletions
diff --git a/src/vnet/ipsec/ah_decrypt.c b/src/vnet/ipsec/ah_decrypt.c
index 7d2bf814fcc..629e7f031c4 100644
--- a/src/vnet/ipsec/ah_decrypt.c
+++ b/src/vnet/ipsec/ah_decrypt.c
@@ -81,7 +81,7 @@ ah_decrypt_inline (vlib_main_t * vm,
vlib_node_runtime_t * node, vlib_frame_t * from_frame,
int is_ip6)
{
- u32 n_left_from, *from, next_index, *to_next;
+ u32 n_left_from, *from, next_index, *to_next, thread_index;
ipsec_main_t *im = &ipsec_main;
ipsec_proto_main_t *em = &ipsec_proto_main;
from = vlib_frame_vector_args (from_frame);
@@ -89,6 +89,7 @@ ah_decrypt_inline (vlib_main_t * vm,
int icv_size = 0;
next_index = node->cached_next_index;
+ thread_index = vm->thread_index;
while (n_left_from > 0)
{
@@ -131,6 +132,9 @@ ah_decrypt_inline (vlib_main_t * vm,
sa_index0 = vnet_buffer (i_b0)->ipsec.sad_index;
sa0 = pool_elt_at_index (im->sad, sa_index0);
+ vlib_prefetch_combined_counter (&ipsec_sa_counters,
+ thread_index, sa_index0);
+
if (is_ip6)
{
ip6_ext_header_t *prev = NULL;
@@ -164,8 +168,10 @@ ah_decrypt_inline (vlib_main_t * vm,
}
}
+ vlib_increment_combined_counter
+ (&ipsec_sa_counters, thread_index, sa_index0,
+ 1, i_b0->current_length);
- sa0->total_data_size += i_b0->current_length;
icv_size =
em->ipsec_proto_main_integ_algs[sa0->integ_alg].trunc_size;
if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE))
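Review bot: The SA counter is credited at the new vlib_increment_combined_counter call before the ICV is computed and compared, so packets that later fail integrity verification still add their bytes to ipsec_sa_counters; esp_decrypt.c has the same ordering, with its increment placed just before the integ_alg check. Because ikev2.c now rekeys on counts.bytes, traffic that is ultimately dropped as unauthenticated still advances the lifetime_maxdata threshold, which the old total_data_size placement already allowed but which is worth either moving the increment past the verification or recording with a comment such as `/* counted before the ICV check: includes packets later dropped as bad ICV */`. ah_decrypt_inline continues outside the hunk, so the verification code itself is not visible here.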
diff --git a/src/vnet/ipsec/ah_encrypt.c b/src/vnet/ipsec/ah_encrypt.c
index 66286094682..5f6a0991be3 100644
--- a/src/vnet/ipsec/ah_encrypt.c
+++ b/src/vnet/ipsec/ah_encrypt.c
@@ -84,13 +84,14 @@ ah_encrypt_inline (vlib_main_t * vm,
vlib_node_runtime_t * node, vlib_frame_t * from_frame,
int is_ip6)
{
- u32 n_left_from, *from, *to_next = 0, next_index;
+ u32 n_left_from, *from, *to_next = 0, next_index, thread_index;
int icv_size = 0;
from = vlib_frame_vector_args (from_frame);
n_left_from = from_frame->n_vectors;
ipsec_main_t *im = &ipsec_main;
ipsec_proto_main_t *em = &ipsec_proto_main;
next_index = node->cached_next_index;
+ thread_index = vm->thread_index;
while (n_left_from > 0)
{
@@ -131,9 +132,9 @@ ah_encrypt_inline (vlib_main_t * vm,
AH_ENCRYPT_ERROR_SEQ_CYCLED, 1);
goto trace;
}
-
-
- sa0->total_data_size += i_b0->current_length;
+ vlib_increment_combined_counter
+ (&ipsec_sa_counters, thread_index, sa_index0,
+ 1, i_b0->current_length);
ssize_t adv;
ih0 = vlib_buffer_get_current (i_b0);
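Review bot: Unlike ah_decrypt.c and esp_encrypt.c, this hunk adds no vlib_prefetch_combined_counter for (thread_index, sa_index0) ahead of the increment, so the counter line is touched cold in this node. If the prefetch was deliberately left out because the increment sits close to the SA lookup, a one-line comment saying so would pre-empt the question; otherwise `vlib_prefetch_combined_counter (&ipsec_sa_counters, thread_index, sa_index0);` after the pool_elt_at_index lookup would make the three nodes consistent. The lookup itself is outside this hunk, and ah_encrypt_inline continues past it.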
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index 5a3ccdcacd9..0cf31ffb000 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -193,7 +193,9 @@ esp_decrypt_inline (vlib_main_t * vm,
}
}
- sa0->total_data_size += i_b0->current_length;
+ vlib_increment_combined_counter
+ (&ipsec_sa_counters, thread_index, sa_index0,
+ 1, i_b0->current_length);
if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE))
{
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index e1690439c88..ffa02115858 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -182,6 +182,9 @@ esp_encrypt_inline (vlib_main_t * vm,
sa_index0 = vnet_buffer (i_b0)->ipsec.sad_index;
sa0 = pool_elt_at_index (im->sad, sa_index0);
+ vlib_prefetch_combined_counter
+ (&ipsec_sa_counters, thread_index, sa_index0);
+
if (PREDICT_FALSE (esp_seq_advance (sa0)))
{
clib_warning ("sequence number counter has cycled SPI %u",
@@ -195,8 +198,6 @@ esp_encrypt_inline (vlib_main_t * vm,
goto trace;
}
- sa0->total_data_size += i_b0->current_length;
-
/* grab free buffer */
last_empty_buffer = vec_len (empty_buffers) - 1;
o_bi0 = empty_buffers[last_empty_buffer];
@@ -330,6 +331,9 @@ esp_encrypt_inline (vlib_main_t * vm,
}
ASSERT (sa0->crypto_alg < IPSEC_CRYPTO_N_ALG);
+ vlib_increment_combined_counter
+ (&ipsec_sa_counters, thread_index, sa_index0,
+ 1, i_b0->current_length);
if (PREDICT_TRUE (sa0->crypto_alg != IPSEC_CRYPTO_ALG_NONE))
{
diff --git a/src/vnet/ipsec/ikev2.c b/src/vnet/ipsec/ikev2.c
index 3d5c0f766cf..d85feee4274 100644
--- a/src/vnet/ipsec/ikev2.c
+++ b/src/vnet/ipsec/ikev2.c
@@ -3376,6 +3376,7 @@ ikev2_mngr_process_ipsec_sa (ipsec_sa_t * ipsec_sa)
ikev2_sa_t *fsa = 0;
ikev2_child_sa_t *fchild = 0;
f64 now = vlib_time_now (vm);
+ vlib_counter_t counts;
/* Search for the SA and child SA */
vec_foreach (tkm, km->per_thread_data)
@@ -3394,11 +3395,13 @@ ikev2_mngr_process_ipsec_sa (ipsec_sa_t * ipsec_sa)
}));
/* *INDENT-ON* */
}
+ vlib_get_combined_counter (&ipsec_sa_counters,
+ ipsec_sa->stat_index, &counts);
if (fchild && fsa && fsa->profile && fsa->profile->lifetime_maxdata)
{
if (!fchild->is_expired
- && ipsec_sa->total_data_size > fsa->profile->lifetime_maxdata)
+ && counts.bytes > fsa->profile->lifetime_maxdata)
{
fchild->time_to_expiration = now;
}
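Review bot: vlib_get_combined_counter is now called unconditionally for every SA the manager visits, but counts is read only inside the `if (fchild && fsa && fsa->profile && fsa->profile->lifetime_maxdata)` block, so the work (presumably a sum over per-thread counters) is wasted for SAs with no byte lifetime configured. Moving `vlib_get_combined_counter (&ipsec_sa_counters, ipsec_sa->stat_index, &counts);` inside that block, ahead of the is_expired test, keeps the behaviour and skips the read otherwise. This also relies on stat_index having been set, which this commit does only in ipsec_sa_add; ikev2_mngr_process_ipsec_sa continues outside the hunk.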
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index ece0b024485..91d21d4dce9 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -293,13 +293,19 @@ typedef ipsec_sad_entry
@param context - sender context, to match reply w/ request
@param entry - Entry to add or delete
*/
-autoreply define ipsec_sad_entry_add_del
+define ipsec_sad_entry_add_del
{
u32 client_index;
u32 context;
u8 is_add;
vl_api_ipsec_sad_entry_t entry;
};
+define ipsec_sad_entry_add_del_reply
+{
+ u32 context;
+ i32 retval;
+ u32 stat_index;
+};
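Review bot: The new ipsec_sad_entry_add_del_reply has no doc block, whereas the request directly above documents every field; stat_index in particular needs a sentence on what it indexes and what it holds for a delete, since ipsec_api.c in this commit only fills it on the add path. A block along the lines of `/** \brief Reply for SA add/delete; @param retval - return code; @param stat_index - index of the SA in the /net/ipsec/sa combined counters, meaningful only when the request had is_add set */` would cover it.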
/** \brief IPsec: Update Security Association keys
@param client_index - opaque cookie to identify the sender
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index 2d464b31290..a26f486d6ef 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -354,7 +354,7 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler
ipsec_integ_alg_t integ_alg;
ipsec_protocol_t proto;
ipsec_sa_flags_t flags;
- u32 id, spi;
+ u32 id, spi, sa_index;
int rv;
#if WITH_LIBSSL > 0
@@ -390,7 +390,7 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler
rv = ipsec_sa_add (id, spi, proto,
crypto_alg, &crypto_key,
integ_alg, &integ_key, flags,
- 0, &tun_src, &tun_dst, NULL);
+ 0, &tun_src, &tun_dst, &sa_index);
else
rv = ipsec_sa_del (id);
@@ -399,7 +399,12 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler
#endif
out:
- REPLY_MACRO (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY);
+ /* *INDENT-OFF* */
+ REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY,
+ {
+ rmp->stat_index = htonl (sa_index);
+ });
+ /* *INDENT-ON* */
}
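Review bot: sa_index is assigned only on the add path through ipsec_sa_add, yet the new REPLY_MACRO2 body always executes `rmp->stat_index = htonl (sa_index);`, so a delete request, a request that reaches `out:` through an earlier goto, or an ipsec_sa_add failure that leaves the out-parameter untouched sends an indeterminate stack value to the API client (and reads an uninitialised local, which is undefined behaviour). Initialising the local in the first hunk, `u32 id, spi, sa_index = ~0;`, gives the field a defined sentinel on every path. Whether ipsec_sa_add writes the index on failure is not visible here, and the handler's body between the hunks is not shown.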
static void
@@ -708,7 +713,6 @@ send_ipsec_sa_details (ipsec_sa_t * sa, vl_api_registration_t * reg,
}
if (sa->use_anti_replay)
mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
- mp->total_data_size = clib_host_to_net_u64 (sa->total_data_size);
vl_api_send_msg (reg, (u8 *) mp);
}
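Review bot: This hunk stops filling mp->total_data_size, but the ipsec.api hunk in this commit does not remove that field from the details message, so if it is still declared there clients keep receiving it as zero with nothing marking it obsolete. Either keep populating it from the new counters, `vlib_counter_t counts; vlib_get_combined_counter (&ipsec_sa_counters, sa->stat_index, &counts); mp->total_data_size = clib_host_to_net_u64 (counts.bytes);`, or deprecate the field in the API definition so the change is visible to API consumers. send_ipsec_sa_details starts before this hunk.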
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 52a30a428d0..22fbcdf9599 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -594,6 +594,7 @@ clear_ipsec_counters_command_fn (vlib_main_t * vm,
vlib_cli_command_t * cmd)
{
vlib_clear_combined_counters (&ipsec_spd_policy_counters);
+ vlib_clear_combined_counters (&ipsec_sa_counters);
return (NULL);
}
diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c
index 04a2a0b5be1..dc66569702e 100644
--- a/src/vnet/ipsec/ipsec_format.c
+++ b/src/vnet/ipsec/ipsec_format.c
@@ -238,6 +238,7 @@ format_ipsec_sa (u8 * s, va_list * args)
{
u32 sai = va_arg (*args, u32);
ipsec_main_t *im = &ipsec_main;
+ vlib_counter_t counts;
u32 tx_table_id;
ipsec_sa_t *sa;
@@ -261,6 +262,8 @@ format_ipsec_sa (u8 * s, va_list * args)
s = format (s, "\n integrity alg %U%s%U",
format_ipsec_integ_alg, sa->integ_alg,
sa->integ_alg ? " key " : "", format_ipsec_key, &sa->integ_key);
+ vlib_get_combined_counter (&ipsec_sa_counters, sai, &counts);
+ s = format (s, "\n packets %u bytes %u", counts.packets, counts.bytes);
if (sa->is_tunnel)
{
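Review bot: `"\n packets %u bytes %u"` prints counts.packets and counts.bytes with %u, and vlib_counter_t fields are the 64-bit counter_t elsewhere in vlib, so once an SA passes 2^32 bytes or packets the displayed values silently wrap to 32 bits — precisely the range where the byte count matters for a lifetime_maxdata decision. Use the 64-bit conversion instead: `s = format (s, "\n packets %lu bytes %lu", counts.packets, counts.bytes);`. format_ipsec_sa continues outside the hunk.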
diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c
index c4721c7afad..fc8520d5ebb 100644
--- a/src/vnet/ipsec/ipsec_sa.c
+++ b/src/vnet/ipsec/ipsec_sa.c
@@ -16,6 +16,16 @@
#include <vnet/ipsec/ipsec.h>
#include <vnet/fib/fib_table.h>
+/**
+ * @brief
+ * SA packet & bytes counters
+ */
+vlib_combined_counter_main_t ipsec_sa_counters = {
+ .name = "SA",
+ .stat_segment_name = "/net/ipsec/sa",
+};
+
+
static clib_error_t *
ipsec_call_add_del_callbacks (ipsec_main_t * im, ipsec_sa_t * sa,
u32 sa_index, int is_add)
@@ -106,8 +116,12 @@ ipsec_sa_add (u32 id,
fib_node_init (&sa->node, FIB_NODE_TYPE_IPSEC_SA);
sa_index = sa - im->sad;
+ vlib_validate_combined_counter (&ipsec_sa_counters, sa_index);
+ vlib_zero_combined_counter (&ipsec_sa_counters, sa_index);
+
sa->id = id;
sa->spi = spi;
+ sa->stat_index = sa_index;
sa->protocol = proto;
sa->crypto_alg = crypto_alg;
clib_memcpy (&sa->crypto_key, ck, sizeof (sa->crypto_key));
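Review bot: The @brief on ipsec_sa_counters does not say how the counter is indexed, and the validate/zero pair added to ipsec_sa_add is the only place that establishes it: the index is the SA's position in im->sad (`sa_index = sa - im->sad`), which is also stored as sa->stat_index. A comment at the definition such as `/* indexed by SA pool index (== ipsec_sa_t.stat_index); slots are validated and zeroed in ipsec_sa_add */` would record that, and explains why a pool index reused after deletion starts from zero without any work in ipsec_sa_del (outside this hunk). The double blank line after the initialiser is a style nit; ipsec_sa_add starts before the second hunk and continues past it.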
diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h
index 2e39566bd63..2601f51038a 100644
--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -101,6 +101,7 @@ typedef struct
fib_node_t node;
u32 id;
u32 spi;
+ u32 stat_index;
ipsec_protocol_t protocol;
ipsec_crypto_alg_t crypto_alg;
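Review bot: The new stat_index member carries no comment, although it duplicates the SA's pool index that ipsec_sa.c assigns (`sa->stat_index = sa_index`) and is what ikev2.c and ipsec_format.c pass to vlib_get_combined_counter. A one-line comment, `u32 stat_index;   /* index into ipsec_sa_counters; equals the SA's pool index */`, tells readers the field is derived rather than independent state. The enclosing struct starts before this hunk.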
@@ -131,11 +132,14 @@ typedef struct
u32 last_seq;
u32 last_seq_hi;
u64 replay_window;
-
- /* lifetime data */
- u64 total_data_size;
} ipsec_sa_t;
+/**
+ * @brief
+ * SA packet & bytes counters
+ */
+extern vlib_combined_counter_main_t ipsec_sa_counters;
+
extern void ipsec_mk_key (ipsec_key_t * key, const u8 * data, u8 len);
extern int ipsec_sa_add (u32 id,